Ask HN: Are there any security issues when connecting linux to ActiveDirectory?

2 points by tapia ↗ HN
I work in an institute of a university in Germany, where I do mainly research. Since the institute is too large, they developed an IT-infrastructure which is independent from the rest of the university. The people of other institutes can normally choose which OS they want to have in their computer, but that is not a option for us. We have to use Windows, since all the servers are Windows (crazy, isn't it?) and all what the sysadmins have ever known is Windows. This makes me lose incredible amounts of productive time that I have to put into making things work, which in Linux would be very easy (like compiling some python libraries or automating some simple processes).

I can agree that most people can be happy with Windows, but in research you need to have some freedom to explore different things and not have to lose 3 hours before giving up with the compilation of some cool library you want to try because you were not able to make gcc work correctly in Windows.

Of course I have asked numerous times whether it would be possible to let me install a Linux distribution in my work computer, but they always come with some vague answer about security or that they just don't do Linux. My understanding is that I could not do any more damage that the one I could do with the Windows computer, since the user rights remain the same.

I know that you can connect a Linux computer to a the ActiveDirectory so you can have the same user as in Windows and to access the shared drives and get Email working as well. So my question is the following: is there really a security problem if I do install a Linux distribution and connect it to the ActiveDirectory? And if so, how big is the problem and what would it take to solve it?

Thanks!

(Edit: small typo)

2 comments

[ 3.3 ms ] story [ 17.4 ms ] thread
Commercial products exist for this purpose, such as Power Broker:

https://www.beyondtrust.com/products/powerbroker-identity-se...

In addition, it's involved but possible for an experienced user to set up AD authentication on Linux.

All AD really amounts to is a database; the endpoint (computer, server, whatever) performs a query, AD produces a response. That can be as a simple as 'is this username/password combination valid?' to 'where in the domain does this computer fit and what rights does it have?' AD allows for other nice features like Group Policy enforcing consistent configuration on every desktop. It also implements Kerberos-based authentication for better security.

Ergo, the only security issue I can foresee is that the query is done over unsecured means; AD uses LDAP as its primary protocol, which in its native form is plaintext. So your computer could conceivably send plaintext login information over the wire. However, most sysadmins will disable this and only support LDAP over SSL (LDAPS) which is encrypted. Most Linux LDAP implementations support running it over SSL.

A second concern is that the Linux machine does not implement Kerberos, and instead uses the fallback to NTLM authentication; if this is the case, your sysadmins should have disabled it. Kerberos is supported on Linux, and is a bit more involved when joining a machine manually, but has equivalent security to Windows.

A Linux machine joined to AD is no less secure than a Windows machine, and can in theory be more secure, since Linux has traditionally had much more strict separation of privileges, preventing ordinary users from making system-wide changes. On the other hand, other aspects of Windows security, especially in a network sense, don't translate especially well to Linux (e.g. Access Control Lists). This won't reduce security, in fact will more likely enforce it, but may make it inconvenient for the end user to work around some of these differences.

In short, there is no practical security risk in running a Linux machine on a Windows domain. Many sysadmins will push back on the idea mostly out of lack of experience with Linux, or the perception that they will need to support it. Obviously each organisation has their own policies, but from a security POV, there is no identifiable risk.